On his weblog for January 19th Martin McKeay describes how HR munged his job description and requirement before publishing it on Dice.

It's very interesting to read the HR version of the job description. I was asked to comment on the job description several weeks ago and I tried to modify it to match what I really do. Some of my changes were ignored, others were modified heavily and, as always happens, the job description put on Dice only marginally describes the position I've filled for the last 16 months.

I recall one preliminary interview with HR at one of Canada's largest financial institutions. I was asked about experience with a huge shopping list of products. Many of the products had been unavailable for years, the companies behind them long gone. The HR-droid was visibly upset when I pointed this out and asked if these were currently in use there. Looking back, I suspect that he'd 'researched' this list himself. Any manager would have known that these products were long out of date. I suspect that the HR-droid was trying to show aggressive 'due diligence'.

At another bank, at another time but in the same city, I was passed from a head-hunter, through HR, to an interview with the hiring manager. HR had failed to forward my resume, but I had a copy. After looking it over, the manager asked if I had the job description. I gave him the copy the head-hunter had sent me. He read it, then turned to his computer and printed off the description he had given to HR. The two had only a few lines in common - HR had edited it out of all recognition.

The "Anne Learns to Recruit" model seems to be reflected in other ways. Many job descriptions for security staff - again, see any one of the job boards for plenty of examples - ask for long lists of 'skills': protocols, languages and so forth. These are technical skills, and IT skills at that. Security is about business, about management (and risk management in particular), not technology. If those long skill lists aren't what the job needs, why do they ask for them? Simple. See my rants elsewhere about metrics. They have a list and they can rate you by ticking off items on that list. The guy with the most ticks wins.

As Martin goes on to say:

I have yet to see a security job description that accurately describes the position. We do so many disparate things as security professionals that it's hard to boil it all down to a one-page description. So much of it depends on the needs of the moment; things change on a daily basis, requiring new hats to be worn almost daily. I've done so many of the things listed in the description, but the job is also so much more.

A good security guy is, as we often say, "paid to be paranoid". Good risk management means being aware of the problems and making sure they are dealt with, by any one of the "Three A's" - Accept, Avoid, Assign. Ironically, though, I've found that this attitude comes across as 'negative' to many head-hunters and recruiters, who are used to dealing with keen and bouncy - and younger and, I suspect, less mature - IT applicants. I've been repeatedly told that I have a negative outlook; never mind that I'm an auditor, never mind that I'm in the business of finding flaws before the bad guys do, so that they can be corrected. Never mind that we know a priori that the software and the system have risk factors, and we'd better find them and mitigate them.

And of course this 'negative' attitude often means head-hunters are unwilling to submit me for positions I'd excel at.

As a corollary, I pity the managers who have to deal with the people with a "positive" attitude that the head-hunters do send through.

Perhaps we need to make it clearer to the recruiting profession that security is not an adjunct to IT. There is no shortage of papers and glossy magazine articles emphasising this. As security professionals we know, for example, that the CISO should report to the board and not to the CIO. But we need to get the message across to recruiters.